|
1 | | -name: Java CI with Maven |
| 1 | +name: Sign jars and internal native libraries |
2 | 2 |
|
3 | 3 | on: |
4 | 4 | push: |
|
8 | 8 |
|
9 | 9 | jobs: |
10 | 10 | build: |
11 | | - |
12 | 11 | runs-on: macos-latest |
13 | 12 |
|
14 | 13 | steps: |
15 | | - - uses: actions/checkout@v3 |
16 | | - |
| 14 | + - name: Checkout code |
| 15 | + uses: actions/checkout@v3 |
| 16 | + |
17 | 17 | - name: Set up JDK 17 |
18 | 18 | uses: actions/setup-java@v3 |
19 | 19 | with: |
20 | 20 | java-version: '17' |
21 | 21 | distribution: 'temurin' |
22 | 22 |
|
23 | | - - name: Sign JARs |
| 23 | + - name: Codesign Internal Native Libraries |
| 24 | + env: |
| 25 | + MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} |
| 26 | + MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} |
24 | 27 | run: | |
25 | | - # Export secrets as environment variables |
26 | | - export JARSIGNER_KEYSTORE_B64=${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }} |
27 | | - export JARSIGNER_STOREPASS=${{ secrets.JARSIGNER_REL_STOREPASS }} |
28 | | - export JARSIGNER_ALIAS=${{ secrets.JARSIGNER_REL_ALIAS }} |
29 | | -
|
30 | | - # Set up the keystore file path |
31 | | - KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}" |
32 | | - echo "Keystore file: ${KEYSTORE_FILE}" |
| 28 | + # Step 1: Decode and import the certificate into a keychain |
| 29 | + echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 |
| 30 | + /usr/bin/security create-keychain -p espressif build.keychain |
| 31 | + /usr/bin/security default-keychain -s build.keychain |
| 32 | + /usr/bin/security unlock-keychain -p espressif build.keychain |
| 33 | + /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign |
| 34 | + /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain |
33 | 35 |
|
34 | | - # Decode and save the base64-encoded keystore to the file |
35 | | - printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}" |
36 | | -
|
37 | | - # Sign all JAR files located in the specified directory |
| 36 | + # Step 2: Define the directory containing the JARs and native libraries |
38 | 37 | LIB_DIR="${PWD}/BUNDLES/com.espressif.idf.serial.monitor/lib" |
39 | | - echo "Signing JAR files in ${LIB_DIR}" |
| 38 | +
|
| 39 | + # Step 3: Extract, sign native libraries, and repackage JARs |
40 | 40 | for jar in "${LIB_DIR}"/*.jar; do |
41 | | - echo "Signing JAR file: ${jar}" |
42 | | - jarsigner -keystore "${KEYSTORE_FILE}" \ |
43 | | - -storepass "${JARSIGNER_STOREPASS}" \ |
44 | | - -signedjar "${jar}" \ |
45 | | - "${jar}" "${JARSIGNER_ALIAS}" |
46 | | - done |
| 41 | + echo "Processing JAR file: ${jar}" |
| 42 | +
|
| 43 | + # Create a temporary directory to extract the JAR contents |
| 44 | + TEMP_DIR=$(mktemp -d) |
| 45 | + unzip -q "$jar" -d "$TEMP_DIR" |
| 46 | +
|
| 47 | + # Find and sign all .jnilib and .dylib files in the extracted JAR directory |
| 48 | + find "$TEMP_DIR" -name "*.jnilib" -o -name "*.dylib" | while read lib; do |
| 49 | + echo "Signing native library: ${lib}" |
| 50 | + /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" --timestamp --deep "$lib" |
| 51 | + done |
47 | 52 |
|
48 | | - # Clean up the keystore file |
49 | | - rm -v "${KEYSTORE_FILE}" |
| 53 | + # Repackage the signed JAR |
| 54 | + pushd "$TEMP_DIR" |
| 55 | + zip -r "$jar" * |
| 56 | + popd |
| 57 | +
|
| 58 | + # Clean up temporary directory |
| 59 | + rm -rf "$TEMP_DIR" |
| 60 | + done |
50 | 61 |
|
51 | 62 | - name: Upload Signed JAR Files |
52 | 63 | if: ${{ !cancelled() }} |
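Review bot: The decoded `certificate.p12` written at new line 29 and the `build.keychain` created at line 30 are still on disk when the step ends; the removed branch cleaned up its keystore with `rm -v "${KEYSTORE_FILE}"`, but nothing replaces that here, so the signing identity remains in the workspace for the rest of the job and, if the upload step at line 62 (its `with:` is outside the hunk) archives more than the `lib` directory, could land in an artifact. Add `rm -f certificate.p12` directly after the `security import` line, and a final step with `if: always()` running `security delete-keychain build.keychain`. Two smaller points in the same script: `-P $MACOS_CERTIFICATE_PWD` at line 33 and the `--entitlements $PWD/...` path at line 50 are unquoted, so a password or path containing whitespace or glob characters breaks the command, and `while read lib` at line 48 should be `while IFS= read -r lib` so library paths are not mangled by backslashes or leading blanks. The keychain password `espressif` at lines 30, 32 and 34 is a literal in the workflow; since the keychain only lives for this job that is low risk, but `KEYCHAIN_PWD=$(openssl rand -hex 16)` used in those three places costs one line and removes the constant.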
|